Tuesday, March 07, 2006

Are you insecure?

I have a wireless router as part of my home computer network.
I use the hard-wired side of it to link my desktop computer with Maria's, since our desks face each other in close proximity in our home office.
I used the wireless, or Wi-Fi, side of it to access the internet from my laptop. I'm doing that now as I write this.
When Maria's daughter Morgan is home from college, she uses the Wi-Fi to connect her desktop to the network from her room.
When my friend Tim helped me install our first wireless router - we're on our third now - he did a cursory test of its range by keeping his laptop connected as he backed out of our driveway. He reported he lost the signal about the time he reached the street.
My router is supposed to have a range of 150-200 feet, so it's not inconceivable that someone could park in front of the house and piggyback onto the signal.
I was aware of that possibility but didn't give it much thought - after all, this is a sleepy little country town of 1,500 and besides, our side of the street is posted for no parking.
But when we got the laptop last spring and started connecting to the router whenever we powered up, I noticed that my next-door neighbor in the big yellow house to the north of us also has a wireless router. Occasionally on power-up, our laptop would lock onto his signal at a quite usable strength of 2 bars out of 5.
I immediately realized that if I could see his network signal, he could see ours.
I didn't really think he was any kind of a hacking or snooping threat, but I wasn't eager to be proven wrong. So I decided to explore the encryption instructions that came with my D-Link router. It was a bit of a challenge because the geeks who wrote the instructions assumed that the reader had a working knowledge of the vocabulary of Wi-Fi, which I did not. I went to Barnes & Noble, got a vente mocha and browsed through a copy of "Wi-Fi for Fucking Morons," made some notes and went home to give it a try. I finally sorted it out and now have a secure network with its own name (Pearlsend, since we live at the south end of Pearl Street), accessible with a password.
My neighbor's network appears in my laptop's list of available networks as "linksys," the name of the router manufacturer, and "unsecured wireless network." I discovered last June, as we drove west on our photo safari, that the air in most cities is filled with unsecured wireless networks named "linksys" and "dlink."
That's because most people just plug the things in, make sure they can get a signal, and never bother to use the encryption features.
With so many open networks, piggybacking in an urban environment it a pretty easy thing, especially in apartment buildings where there are lots of tightly clustered living spaces. Other than marginally slowing the host's broadband connection with added traffic, I figured it was mostly a harmless thing.
But then I read a piece by Glenn Fleischman at wifinews.com.
He references a recent New York Times story about piggybacking that's a pretty comprehensive look at the subject.
But here is what Fleischman said that really got my attention:
Worse, however, is that a local network is usually given less scrutiny by firewalls and thus a user who piggybacks onto your network and whose machine is infected with viruses and worms could unintentionally compromise your systems. That’s a bigger risk, in my view. Now I feel even better about having a security-enabled wireless network. I might even mention it to my neighbor.

2 comments:

Kevin said...

One more thing. Most wi-fi comes with encryption standards. WEP which stands for Wireless Equivalent Protection is badly broken. In many cases, it can take as little as 10 minutes of eavesdropping your encrypted traffic to break the key. For true security, choose WPA. Select a long key that is not a common word, phrase, kids name, birthday etc. Use upper and lower case letters, numbers and punctuation (special) characters.

For additional info on wireless security and computer security in general, there is a really good series of podcasts called Security Now. Episodes 10, 11, and 13 deal with wireless security.

http://www.grc.com/SecurityNow.htm

The Oracle said...

Excellent points!
Thanks, Kevin!